製品・ソフトウェアに関する情報

JVN脆弱性詳細

Xpdf および Poppler の ObjectStream::ObjectStream 関数における整数オーバーフローの脆弱性

Title	Xpdf および Poppler の ObjectStream::ObjectStream 関数における整数オーバーフローの脆弱性
Summary	Xpdf および Poppler の ObjectStream::ObjectStream 関数には、PDF ドキュメントの処理に不備があるため、整数オーバーフローの脆弱性が存在します。
Possible impacts	第三者に任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 15, 2009, midnight
Registration Date	Nov. 25, 2009, 12:23 p.m.
Last Update	May 26, 2010, 4:31 p.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

レッドハット

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.4.z (server)

RHEL Desktop Workstation 5 (client)

RHEL Optional Productivity Applications 5 (server)

RHEL Optional Productivity Applications EUS 5.4.z (server)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

Glyph & Cog, LLC

Xpdf 3.02pl4 未満

freedesktop.org

Poppler 0.12.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3608	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
National Vulnerability Database (NVD)
2	CVE-2009-3608	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3608

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Asianux Technical Support Network
1	cups-1.3.7-11.3.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=762
2	kdegraphics-3.5.5-3.5AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=766
3	poppler-0.5.4-4.4.11.1AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=764
4	tetex-3.0-33.8.5.0.1.AXS3	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=1040
MIRACLE LINUX アップデート情報
5	1805	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1805
Poppler
6	Top Page	http://poppler.freedesktop.org/
Red Hat Security Advisory
7	RHSA-2009:1501	https://rhn.redhat.com/errata/RHSA-2009-1501.html
8	RHSA-2009:1502	https://rhn.redhat.com/errata/RHSA-2009-1502.html
9	RHSA-2009:1503	https://rhn.redhat.com/errata/RHSA-2009-1503.html
10	RHSA-2009:1504	https://rhn.redhat.com/errata/RHSA-2009-1504.html
11	RHSA-2009:1512	https://rhn.redhat.com/errata/RHSA-2009-1512.html
12	RHSA-2009:1513	https://rhn.redhat.com/errata/RHSA-2009-1513.html
13	RHSA-2010:0400	https://rhn.redhat.com/errata/RHSA-2010-0400.html
Xpdf
14	Top Page	http://www.foolabs.com/xpdf/
レッドハットセキュリティーアップデート
15	RHSA-2009:1501	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1501J.html
16	RHSA-2009:1502	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1502J.html
17	RHSA-2009:1503	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1503J.html
18	RHSA-2009:1504	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1504J.html
19	RHSA-2009:1512	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1512J.html
20	RHSA-2009:1513	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1513J.html

その他

No	Name	URL
ISS X-Force Database
1	53794	http://xforce.iss.net/xforce/xfdb/53794
Secunia Advisory
2	SA37028	http://secunia.com/advisories/37028
3	SA37034	http://secunia.com/advisories/37034
4	SA37037	http://secunia.com/advisories/37037
5	SA37043	http://secunia.com/advisories/37043
6	SA37051	http://secunia.com/advisories/37051
7	SA37053	http://secunia.com/advisories/37053
8	SA37054	http://secunia.com/advisories/37054
9	SA37061	http://secunia.com/advisories/37061
10	SA37077	http://secunia.com/advisories/37077
11	SA37079	http://secunia.com/advisories/37079
SecurityFocus
12	36703	http://www.securityfocus.com/bid/36703
SecurityTracker
13	1023029	http://securitytracker.com/id?1023029
VUPEN Security
14	VUPEN/ADV-2009-2924	http://www.vupen.com/english/advisories/2009/2924
15	VUPEN/ADV-2009-2925	http://www.vupen.com/english/advisories/2009/2925
16	VUPEN/ADV-2009-2926	http://www.vupen.com/english/advisories/2009/2926
17	VUPEN/ADV-2009-2928	http://www.vupen.com/english/advisories/2009/2928

Change Log

No	Changed Details	Date of change
0	[2009年11月25日] 掲載 [2010年05月26日] ベンダ情報：ミラクル・リナックス (tetex-3.0-33.8.5.0.1.AXS3) を追加ベンダ情報：レッドハット (RHSA-2010:0400) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3608

Summary	Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
Publication Date	Oct. 22, 2009, 2:30 a.m.
Registration Date	Jan. 29, 2021, 1:24 p.m.
Last Update	Feb. 13, 2023, 11:20 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler::::::::			0.12.0
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
execution environment
1	cpe:2.3:a:glyph_and_cog:pdftops::::::::
2	cpe:2.3:a:gnome:gpdf::::::::
3	cpe:2.3:a:kde:kpdf::::::::
4	cpe:2.3:a:tetex:tetex::::::::

Related information, measures and tools

No	URL	refsource	タグ
1	ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch	CONFIRM	Patch
2	http://secunia.com/advisories/37034	SECUNIA	Vendor Advisory
3	http://www.securityfocus.com/bid/36703	BID	Exploit Patch
4	http://www.vupen.com/english/advisories/2009/2925	VUPEN	Vendor Advisory
5	http://www.vupen.com/english/advisories/2009/2926	VUPEN	Vendor Advisory
6	http://secunia.com/advisories/37054	SECUNIA	Vendor Advisory
7	http://secunia.com/advisories/37053	SECUNIA	Vendor Advisory
8	http://poppler.freedesktop.org/	CONFIRM	Patch Vendor Advisory
9	https://rhn.redhat.com/errata/RHSA-2009-1512.html	REDHAT
10	https://rhn.redhat.com/errata/RHSA-2009-1503.html	REDHAT
11	http://secunia.com/advisories/37051	SECUNIA	Vendor Advisory
12	http://secunia.com/advisories/37061	SECUNIA	Vendor Advisory
13	http://securitytracker.com/id?1023029	SECTRACK	Patch
14	http://secunia.com/advisories/37028	SECUNIA	Vendor Advisory
15	https://rhn.redhat.com/errata/RHSA-2009-1504.html	REDHAT
16	http://www.vupen.com/english/advisories/2009/2928	VUPEN	Vendor Advisory
17	https://bugzilla.redhat.com/show_bug.cgi?id=526637	CONFIRM	Patch
18	http://www.vupen.com/english/advisories/2009/2924	VUPEN	Patch Vendor Advisory
19	https://rhn.redhat.com/errata/RHSA-2009-1513.html	REDHAT
20	https://rhn.redhat.com/errata/RHSA-2009-1501.html	REDHAT
21	http://secunia.com/advisories/37037	SECUNIA	Vendor Advisory
22	http://secunia.com/advisories/37043	SECUNIA	Vendor Advisory
23	https://rhn.redhat.com/errata/RHSA-2009-1502.html	REDHAT
24	http://secunia.com/advisories/37077	SECUNIA	Vendor Advisory
25	http://www.ocert.org/advisories/ocert-2009-016.html	MISC
26	http://secunia.com/advisories/37079	SECUNIA	Vendor Advisory
27	http://www.mandriva.com/security/advisories?name=MDVSA-2009:287	MANDRIVA
28	http://secunia.com/advisories/37159	SECUNIA
29	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00750.html	FEDORA
30	https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00784.html	FEDORA
31	http://www.ubuntu.com/usn/USN-850-1	UBUNTU
32	http://secunia.com/advisories/37114	SECUNIA
33	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html	SUSE
34	http://www.debian.org/security/2009/dsa-1941	DEBIAN
35	http://www.openwall.com/lists/oss-security/2009/12/01/5	MLIST
36	http://www.openwall.com/lists/oss-security/2009/12/01/1	MLIST
37	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274030-1	SUNALERT
38	http://www.openwall.com/lists/oss-security/2009/12/01/6	MLIST
39	http://www.ubuntu.com/usn/USN-850-3	UBUNTU
40	http://www.mandriva.com/security/advisories?name=MDVSA-2009:334	MANDRIVA
41	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035340.html	FEDORA
42	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035399.html	FEDORA
43	http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035408.html	FEDORA
44	http://www.vupen.com/english/advisories/2010/0802	VUPEN
45	http://www.debian.org/security/2010/dsa-2028	DEBIAN
46	http://secunia.com/advisories/39327	SECUNIA
47	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021706.1-1	SUNALERT
48	http://www.debian.org/security/2010/dsa-2050	DEBIAN
49	http://secunia.com/advisories/39938	SECUNIA
50	http://www.vupen.com/english/advisories/2010/1220	VUPEN
51	http://www.mandriva.com/security/advisories?name=MDVSA-2011:175	MANDRIVA
52	https://exchange.xforce.ibmcloud.com/vulnerabilities/53794	XF
53	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9536	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:foolabs:xpdf:3.02pl1:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl2:::::::*
cpe:2.3:a:foolabs:xpdf:3.02pl3:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
cpe:2.3:a:glyphandcog:xpdfreader:3.02:::::::*
cpe:2.3:a:poppler:poppler::::::::			0.12.0
cpe:2.3:a:poppler:poppler:0.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.1:::::::*
cpe:2.3:a:poppler:poppler:0.1.2:::::::*
cpe:2.3:a:poppler:poppler:0.2.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.0:::::::*
cpe:2.3:a:poppler:poppler:0.3.1:::::::*
cpe:2.3:a:poppler:poppler:0.3.2:::::::*
cpe:2.3:a:poppler:poppler:0.3.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.0:::::::*
cpe:2.3:a:poppler:poppler:0.4.1:::::::*
cpe:2.3:a:poppler:poppler:0.4.2:::::::*
cpe:2.3:a:poppler:poppler:0.4.3:::::::*
cpe:2.3:a:poppler:poppler:0.4.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.0:::::::*
cpe:2.3:a:poppler:poppler:0.5.1:::::::*
cpe:2.3:a:poppler:poppler:0.5.2:::::::*
cpe:2.3:a:poppler:poppler:0.5.3:::::::*
cpe:2.3:a:poppler:poppler:0.5.4:::::::*
cpe:2.3:a:poppler:poppler:0.5.9:::::::*
cpe:2.3:a:poppler:poppler:0.6.0:::::::*
cpe:2.3:a:poppler:poppler:0.6.1:::::::*
cpe:2.3:a:poppler:poppler:0.6.2:::::::*
cpe:2.3:a:poppler:poppler:0.6.3:::::::*
cpe:2.3:a:poppler:poppler:0.6.4:::::::*
cpe:2.3:a:poppler:poppler:0.7.0:::::::*
cpe:2.3:a:poppler:poppler:0.7.1:::::::*
cpe:2.3:a:poppler:poppler:0.7.2:::::::*
cpe:2.3:a:poppler:poppler:0.7.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.0:::::::*
cpe:2.3:a:poppler:poppler:0.8.1:::::::*
cpe:2.3:a:poppler:poppler:0.8.2:::::::*
cpe:2.3:a:poppler:poppler:0.8.3:::::::*
cpe:2.3:a:poppler:poppler:0.8.4:::::::*
cpe:2.3:a:poppler:poppler:0.8.6:::::::*
cpe:2.3:a:poppler:poppler:0.8.7:::::::*
cpe:2.3:a:poppler:poppler:0.9.0:::::::*
cpe:2.3:a:poppler:poppler:0.9.1:::::::*
cpe:2.3:a:poppler:poppler:0.9.2:::::::*
cpe:2.3:a:poppler:poppler:0.9.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.0:::::::*
cpe:2.3:a:poppler:poppler:0.10.1:::::::*
cpe:2.3:a:poppler:poppler:0.10.2:::::::*
cpe:2.3:a:poppler:poppler:0.10.3:::::::*
cpe:2.3:a:poppler:poppler:0.10.4:::::::*
cpe:2.3:a:poppler:poppler:0.10.5:::::::*
cpe:2.3:a:poppler:poppler:0.10.6:::::::*
cpe:2.3:a:poppler:poppler:0.10.7:::::::*
cpe:2.3:a:poppler:poppler:0.11.0:::::::*
cpe:2.3:a:poppler:poppler:0.11.1:::::::*
cpe:2.3:a:poppler:poppler:0.11.2:::::::*
cpe:2.3:a:poppler:poppler:0.11.3:::::::*
execution environment
1	cpe:2.3:a:glyph_and_cog:pdftops::::::::
2	cpe:2.3:a:gnome:gpdf::::::::
3	cpe:2.3:a:kde:kpdf::::::::
4	cpe:2.3:a:tetex:tetex::::::::